“How should we adapt our cybersecurity controls to address the new WFH reality?” This question is top-of-mind for CIOs and security executives. When it comes to cybersecurity in the post-COVID era, every CIO needs an answer to three key questions:

What are the changes in usage patterns and architecture in my IT environment?
How do these changes affect risk?
What changes do I need to make to my cybersecurity posture and control environment?

Changes in usage patterns and architecture
For many organizations, working from home (WFH) was uncommon, especially for traditional office workers in horizontal business functions like finance, human resources, and marketing. These employees are also used to walking over to a colleague's desk when they need something. This affects usage in two ways: remote access is now critical for many employees, and communication and collaboration tools are essential to their effectiveness at work.

Of particular importance are the most sensitive applications, which often run on-premises on separate networks. Opening them to remote access poses a problem not only for protection but also for compliance with global and industry regulations.

How the risks change
Risk is a function of the probability that some bad event will occur and its impact on the organization. In cybersecurity, the probability is driven by attacker activity and by the vulnerability of the IT environment in the context of normal, legitimate use of the systems. The impact is the extent to which an attack affects confidentiality, integrity, availability, productivity, and/or propriety. To understand the effect of the COVID-19 usage and architecture changes, we have to understand the threats, vulnerabilities, and impact that come with them.

As with any widespread event, such as holidays, sporting events, or natural disasters, the pandemic has brought increased attacker activity, with spam and phishing on the rise. New methods are also adopted to commit fraud or otherwise harm organizations as usage changes. For example, once Zoom became widely used for meetings, "Zoom bombing" was a foregone conclusion.

A higher risk is renewed attacker interest in home networks as WFH becomes the norm for many, and as road warriors carry the habits they formed on public Wi-Fi hotspots into their home environments. Corporate laptops are often well hardened for these scenarios, but home networks (consumer routers with default credentials, shared family devices) have not been significant targets in the past and may need more attention.

On the vulnerability side, servers and applications are likely to have an increased attack surface simply because the IT environment now extends network connectivity into homes; this potentially exposes new vulnerabilities in laptops, home networks, and applications across more components (think network stops, or "hops"). Companies already used to anytime-anywhere computing know how to handle these environments, but the new usage patterns and architectures are significant changes for others. Given the interconnectedness of organizations and business partners, recognize that those partners, say in a supply chain, are experiencing the same challenges, so the entire connected environment bears increased risk. There may be 3rd, 4th or even 5th parties involved in any given activity.

Finally, COVID-19 brings with it a whole new level of reliance on communication and collaboration applications that may not have existed previously.
Because more of the business now depends on these applications, the impact side of the risk equation grows even where the technology is unchanged. This is perhaps the most challenging notion to remember about risk: even if nothing had changed technically (which isn't the case here), the impact can increase, and that is a likely scenario as enterprises work to stay afloat in these challenging times. Impact is also felt in technical support because resources are now distributed. Any triage, malware infection, or similar event will have a larger impact simply because of the additional logistics required to address it (shipping a replacement laptop, reimaging a machine remotely, collecting evidence from a home).

Effect on the cybersecurity control environment
Historically, IT environments have been protected from the "bottom up" by securing the physical location (usually a data center), the network, and the servers/hosts. Economies of scale came from physical security (putting all computing equipment in the same rooms: data centers, wiring closets, and so on) and from network security (putting all equipment on the same physical network and using firewalls for separation). These economies of scale have been extended through site-to-site VPNs, web security gateways, and other solutions.

Though the economies of scale are smaller, endpoint security has been augmented over the years, and enterprise-owned laptops nowadays have fairly strong security. Smartphones, tablets, and employee-owned laptops are another story. Some organizations have built an all-inclusive security program, while others still rest on an expectation of full asset ownership, on-premises. Many other factors have changed over the years (distributed computing, the internet, virtualization, cloud, software-defined everything), yet many of the same principles have continued to apply. COVID-19 changes all that.

Within a day of the first stay-at-home order, the effect of COVID-19 was obvious. The first big hurdle for many organizations was ensuring users could securely access the applications they needed from home. VPNs are the default remote-access mechanism and extremely common, but performance and administration quickly became the pressing problems: VPN concentrators and split-tunnel policies sized for occasional travel do not scale to the whole workforce, and changing network access restrictions and firewall rules has been a huge burden for some.

Others are a bit further along the innovation curve and have had no significant problems at all. These are typically companies that model Google's BeyondCorp architecture or other zero trust capabilities: dynamic access rules attached to users and applications that change when the location or device changes. They have deployed multifactor authentication throughout their environment. They have effectively moved security up the stack to focus on users, data, and applications, regardless of which devices or networks are used or where the data is stored.

Cybersecurity professionals have long been aware of the need for more robust controls to protect increasingly complex computing environments. For programs where the engineering and integration work has already been done, this may be a good time to consider a gradual rollout of a new architecture.

Programs that are behind the curve, however, must be even more conservative. The line between the risk of future attack and the downside of false positives that impede legitimate users has never been finer. Now is not the time for productivity disruption in the name of enhanced security. That doesn't mean ignore it; it means be very, very careful.

Your 10-point long-term WFH to-do list
The advice below assumes that the fires associated with triaging the existing control environment have been put out and the environment is at least temporarily stable.

In the next six months

Automate, automate, automate – look for ways to ensure patching, password resets, change control, incident management, and other manual processes are automated wherever and whenever possible.
Deploy multifactor authentication everywhere – one lesson that should be apparent to everyone is that you can't rely on passwords for anything, even inside the organization. Though not a silver bullet (push notifications and one-time codes can still be phished or fatigued; phishing-resistant methods such as FIDO2/WebAuthn hold up better), multifactor may be the closest thing to a cure-all that reduces risk everywhere.
Develop a BYOD plan, even if you normally don't allow BYOD – ensure you have a way for unmanaged devices to access organization resources without compromising protection. This includes paying attention to home network security.
Review your data governance policy and program – ensure that owners are identified and any policy issues associated with the content are addressed, such as jurisdictional issues with cloud environments.
Upgrade the 3rd/4th-party compliance program – create a program of continuous compliance that does not require site visits. Rely on 3rd-party audits, continuous reporting of activity and controls, and robust architecture for protection.
Assess the need for location- or asset-oriented controls – work to eliminate the need for an application to run on a certain device, or be in a certain location or on a certain network, in order to be protected.

Within 18 months

Create a virtual SOC – either through an MSSP or by leveraging SaaS solutions, build out a SOC for anytime, anywhere monitoring.
Separate application and data security from network and device security – ensure that applications and data are protected when accessed from any device over any network path.
Implement a cloud security gateway and/or environment – create a cloud-based environment through which any/all network traffic is routed so that the applicable security protections can be applied.
Develop a distributed integrity architecture – build encryption and integrity protection into data and applications themselves.
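The BeyondCorp-style approach described earlier (access decided per user, device posture and application rather than by network location), and the to-do item on separating application and data security from network and device security, can be made concrete with a small policy evaluator. The block below is an added example written for this page; it is not Google's BeyondCorp code and not anything from the article or its author. The resource tiers, posture attributes, step-up windows, network labels and the sample scenarios are all assumptions chosen for illustration.

```python
"""Context-aware access decisions in the BeyondCorp / zero trust style.

Added example for this page (not Google's BeyondCorp implementation, not code
from the article). Tier names, posture attributes, step-up windows and network
labels are all assumptions chosen for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Decision(Enum):
    ALLOW = "allow"
    ALLOW_READONLY = "allow_readonly"  # unmanaged device: view only, no download
    STEP_UP = "step_up"                # fresh MFA required before proceeding
    DENY = "deny"


@dataclass(frozen=True)
class Device:
    managed: bool          # enrolled and inventoried by the organization
    disk_encrypted: bool
    patch_age_days: int    # days since the OS was last patched


@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool
    mfa_age_minutes: int            # minutes since the last MFA assertion
    device: Device
    network: str                    # assumed labels: "corp", "home", "public"
    last_seen_network: Optional[str]
    resource_tier: int              # assumed: 1 internal, 2 confidential, 3 restricted


# Assumed policy constants: how old an MFA assertion may be, per tier.
MAX_MFA_AGE_MINUTES: Dict[int, int] = {1: 12 * 60, 2: 8 * 60, 3: 60}
MAX_PATCH_AGE_DAYS = 30


def device_healthy(d: Device) -> bool:
    """Posture check: only a managed, encrypted, recently patched device is healthy."""
    return d.managed and d.disk_encrypted and d.patch_age_days <= MAX_PATCH_AGE_DAYS


def decide(req: Request) -> Decision:
    """Grant on user identity, device posture and data sensitivity.

    The network is never a grant by itself (being on "corp" earns nothing);
    a change of network only acts as a signal that forces a fresh MFA.
    """
    if req.resource_tier not in MAX_MFA_AGE_MINUTES:
        return Decision.DENY                      # unknown tier: fail closed
    if req.resource_tier >= 2 and not req.mfa_verified:
        return Decision.STEP_UP                   # passwords alone never reach tier 2+
    if req.mfa_verified and req.mfa_age_minutes > MAX_MFA_AGE_MINUTES[req.resource_tier]:
        return Decision.STEP_UP                   # assertion too old for this tier
    network_changed = (req.last_seen_network is not None
                       and req.last_seen_network != req.network)
    if req.resource_tier >= 2 and network_changed:
        return Decision.STEP_UP                   # moved corp -> home -> cafe: re-prove
    if req.resource_tier == 3:
        # Restricted data: healthy managed device required, wherever it is.
        return Decision.ALLOW if device_healthy(req.device) else Decision.DENY
    if not req.device.managed:
        return Decision.ALLOW_READONLY            # BYOD: reduced mode on lower tiers
    if not device_healthy(req.device):
        # Managed but out of policy: confidential withheld, internal read-only.
        return Decision.DENY if req.resource_tier == 2 else Decision.ALLOW_READONLY
    return Decision.ALLOW


HEALTHY = Device(managed=True, disk_encrypted=True, patch_age_days=7)
STALE = Device(managed=True, disk_encrypted=True, patch_age_days=45)
BYOD = Device(managed=False, disk_encrypted=False, patch_age_days=0)

# Constructed scenarios (not real traffic) that exercise the rules above.
SCENARIOS: Dict[str, Request] = {
    "office_restricted":      Request("ann", True, 10, HEALTHY, "corp", "corp", 3),
    "home_same_laptop":       Request("ann", True, 10, HEALTHY, "home", "home", 3),
    "network_just_changed":   Request("ann", True, 10, HEALTHY, "home", "corp", 3),
    "stale_mfa_restricted":   Request("ann", True, 90, HEALTHY, "home", "home", 3),
    "byod_confidential":      Request("bob", True, 5, BYOD, "public", "public", 2),
    "byod_restricted":        Request("bob", True, 5, BYOD, "public", "public", 3),
    "unpatched_restricted":   Request("cy", True, 5, STALE, "corp", "corp", 3),
    "password_only_conf":     Request("dee", False, 0, HEALTHY, "corp", "corp", 2),
    "password_only_internal": Request("dee", False, 0, HEALTHY, "home", "home", 1),
}


def evaluate_all(scenarios: Dict[str, Request] = SCENARIOS) -> Dict[str, Decision]:
    """Run every scenario through the policy and return name -> decision."""
    return {name: decide(req) for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, decision in evaluate_all().items():
        print(f"{name:24s} -> {decision.value}")
```

Two scenarios carry the point of the article's paragraph: the same user on the same healthy laptop gets the same answer for restricted data at the office and at home, while a network change or an expired MFA assertion forces a step-up rather than a silent allow. Nothing in the decision function treats the "corp" label as trusted, which is what lets the network and device layers be separated from application and data protection.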